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Amendments to the Claims 

1 . (Currently Amended) A method of determining if a packet has a spoofed source 
Internet Protocol (IP) address, comprising: 

evaluating a source media access control (MAC) address of the packet and the source IP 
address to determine if the source IP address of the packet has been bound to the source MAC 
address at a source device of the packet; and 

determining that the source IP address of the packet is spoofed if the source IP address is 
not bound to the source MAC address^ 

wherein evaluating a source MAC address of the packet and the source IP address further 
comprises: 

identifying an entry in an address resolution protocol (ARP) table corresponding to the 
source MAC address; 

comparing an IP address of the identified entry to the source IP address to determine if 
the IP address of the identified entry corresponds to the source IP address; 

identifying the source IP address as bound to the source MAC address at the source 
device if the IP address of the identified entry corresponds to the source IP address; 

sending an ARP request to the source IP address if no entry in the ARP table is identified 
as corresponding to the source MAC address; and 

incorporating an entry corresponding to the MAC address into the ARP table if a 
response is received to the ARP request . 

2. (Currently Amended) The method of Claim 1 , wherein th e step of determining 
that the source IP address of the packet is spoofed if the source IP address is not bound to the 
source MAC address further comprises determining that the source IP address is spoofed if the 
source IP address is not bound to the source MAC address and the source MAC address is not 
associated with a gateway routing device. 



3. (Currently Amended) The method of Claim 2, further comprising th e st e ps of : 
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determining if the source MAC address is identified in an addr e ss r e solution protocol 
(ARP) ARP table as a MAC address of a routing device to determine if the source MAC address 
is associated with a gateway routing device. 

4. (Currently Amended) The method of Claim 3, wherein th e st e p of determining if 
the source MAC address is identified in an ARP table is preceded b y th e st e ps of : 

determining if an IP address of a gateway routing device is to be added to a routing table; 
sending an ARP request to the IP address of the gateway routing device; 
receiving a response to the ARP request that identifies a MAC address of the gateway 
routing device; 

updating the ARP table with the MAC address of the gateway routing device; and 
identifying the MAC address in the ARP table as associated with a gateway routing 

device. 

5. (Currently Amended) The method of Claim 2, further comprisin g th e st e ps of : 
determining IP addresses associated with the source MAC address in an addr ess 

r e solution protocol (ARP) ARP table; 

determining if the IP addresses associated with the source MAC address in the ARP table 
are associated with a gateway routing device to determine if the source MAC address is 
associated with a gateway routing device; and 

determining that the source IP address is not spoofed if the source MAC address is 
associated with a gateway routing device. 

6. (Currently Amended) The method of Claim 5, wherein th e st e p of determining if 
the IP addresses associated with the source MAC address in the ARP table are associated with a 
gateway routing device comprises searching a routing table for the IP addresses to determine if 
any of the IP addresses are associated with a gateway routing device in the routing table to 
determine if the source MAC address is associated with a gateway routing device. 



7-9. (Canceled). 
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10. (Currently Amended) The method of Claim 9 Claim K further comprising th e st o p 
ef identifying the source IP address as not bound to the source MAC address if a response is not 
received to the ARP request. 

1 1 . (Currently Amended) The method of Claim 9 Claim K further comprising th e st e p 
ef discarding the packet if no entry in the ARP table corresponding to the MAC address has an 
IP address which corresponds to the source IP address. 

12. (Currently Amended) The method of Claim 9 Claim 1 , further comprising-the 
st e ps of : 

determining if the source IP address is associated with a routing device; 

forwarding the packet if the source IP address is associated with a routing device; and 

discarding the packet if the source IP address is not associated with a routing device and 

if no entry in the ARP table corresponding to the MAC address has an IP address which 

corresponds to the source IP address. 

13-19. (Canceled). 

20. (Currently Amended) The method of Claim 19 Claim 1 , further comprising the 
step-ef discarding the packet if the source MAC address is associated with more than a 
predefined number of IP addresses. 

21 . (Original) The method of Claim 20, wherein the predefined number of IP 
addresses is associated with the source device. 

22. (Original) The method of Claim 20, wherein the predefined number of IP 
addresses is associated with a subnet associated with the MAC address. 
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23. (Currently Amended) The method of Claim 19 Claim L further comprising the 
step-ef discarding the packet if the source IP address is associated with at least one MAC address 
other than the source MAC address. 

24. (Currently Amended) The method of Claim 19 Claim 1 , further comprising the 
st e p of forwarding the packet if the source EP address indicates that the packet is a dynamic host 
configuration protocol (DHCP) request. 

25. (Currently Amended) The method of Claim 24, wherein th e st e p of forwarding 
the packet comprises forwarding the packet if the source IP address indicates that the packet is a 
dynamic host configuration protocol (DHCP) request and the contents of the packet indicate that 
the packet is a DHCP request. 

26-28. (Canceled). 

29. (Currently Amended) The method of Claim 28, wh e r e in the corr e ctiv e action 
further compris e s Claim 1 1, further comprising logging MAC addresses of discarded packets 
with spoof e d sourc e IP addr e ss e s . 

30. (Currently Amended) The method of Claim 27, wh e r e in th e corr e ctiv e action 
compris e s Claim L further comprising notifying a system administrator of the a subnet of the 
source device e £and the presence of a spoofed source IP address in a packet from the source 
device when no entry in the ARP table corresponding to the MAC address has an IP address 
which corresponds to the source IP address . 

3 1 . (Currently Amended) The method of Claim 27 Claim 11 , wherein a destination 
device of the packet comprises a network attached storage device and wherein discarding the 
packet if no entry in the ARP table corresponding to the MAC address has an IP address which 
corresponds to the source IP address is carried out so that the packet is not forwarded the 
corr e ctiv e action compris e s discarding th e packet befor e the pack e t is forward e d to an Internet 



In re: Doyle et al. 
Serial No.: 09/930,351 
Filed: August 15,2001 
Page 7 of 16 

Protocol (IP) layer of the network attached storage d e vic e s device so as to increase the 
availability of the network attached storage device in the event of a denial of service attack. 

32. (Currently Amended) The method of Claim 27 Claim 1 , further comprising4he 
st e ps of : 

monitoring packets from a source device to determine if the source device has more EP 
addresses bound to the MAC address of the source device than a predefined limit; and 

identifying the source device as having more IP addresses bound to its MAC address than 
the predefined limit so as to allow corrective action to be taken to reduce network degradation as 
a result of a denial of service attack utilizing the spoofed source IP addr e sses address bound to 
the MAC address of the source device. 

33. (Currently Amended) The method of Claim 32, wherein the corrective action to 
be taken to reduce network degradation as a result of a denial of service attack utilizing the 
spoofed source IP addr e ss e s address bound to the MAC address of the source device comprises 
discarding packets from the source device. 

34. (Currently Amended) The method of Claim 33, wherein the corrective action to 
be taken to reduce network degradation as a result of a denial of service attack utilizing the 
spoofed source IP addr e ss e s address bound to the MAC address of the source device comprises 
notifying a system administrator that the source device has more EP address bound to its MAC 
address than the predefined limit. 

35. (Currently Amended) The method of Claim 32, further comprising th e st e p of 
establishing the predefined limit based on characteristics of the source device. 

36. (Currently Amended) The method of Claim 32, further comprising th e step of 
establishing the predefined limit as a common limit for all devices on a subnet of the source 
device. 
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37. (Currently Amended) The method of Claim 27 Claim U further comprising-the 
st e ps of : 

determining if a source IP address is bound to a MAC addr e ss e s address of more than one 
source device; and 

identifying the source devices having the IP address bound to the MAC addresses so as to 
allow corrective action to be taken to reduce network degradation as a result of a denial of 
service attack utilizing [[a]] the spoofed source IP address bound to the MAC addresses of the 
source devices. 

38. (Currently Amended) The method of Claim 37, wherein the corrective action to 
be taken to reduce network degradation as a result of a denial of service attack utilizing [[a]] the 
spoofed source IP address bound to the MAC addresses of the source devices comprises 
discarding packets from the source d e vices device . 

39. (Currently Amended) The method of Claim 37, wherein the corrective action to 
be taken to reduce network degradation as a result of a denial of service attack utilizing [[a]] the 
spoofed source IP address bound to the MAC addresses of the source devices comprises 
notifying a system administrator that the IP address is bound to MAC addresses of more than one 
source device. 

40. (Currently Amended) A system for determining if a packet has a spoofed source 
Internet Protocol (IP) address, comprising: 

means for evaluating a source media access control (MAC) address of the packet and the 
source IP address to determine if the source IP address of the packet has been bound to the 
source MAC address at a source device of the packet; and 

means for determining that the source IP address of the packet is spoofed if the source IP 
address is not bound to the source MAC address^ 

wherein the means for evaluating a source MAC address of the packet and the source IP 
address is further configured to identify an entry in an address resolution protocol (ARP) table 
corresponding to the source MAC address, to compare an IP address of the identified entry to the 
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source IP address to determine if the IP address of the identified entry corresponds to the source 
IP address, to identify the source IP address as bound to the source MAC address at the source 
device if the IP address of the identified entry corresponds to the source IP address, to send an 
ARP request to the source IP address if no entry in the ARP table is identified as corresponding 
to the source MAC address, and to incorporate an entry corresponding to the MAC address into 
the ARP table if a response is received to the ARP request . 

41. (Original) The system of Claim 40, wherein the system comprises a routing 

device. 

42. (Original) The system of Claim 40, wherein the system comprises a monitoring 

device. 

43. (Original) The system of Claim 40, wherein the system comprises an endpoint 

device. 

44. (Canceled). 

45. (Currently Amended) A computer program product for determining if a packet 
has a spoofed source Internet Protocol (IP) address, comprising: 

a computer readable media having computer readable program code embodied therein, 
the computer readable program code comprising: 

computer readable program code that evaluates a source media access control (MAC) 
address of the packet and the source IP address to determine if the source IP address of the 
packet has been bound to the source MAC address at a source device of the packet; and 

computer readable program code that determines that the source IP address of the packet . 
is spoofed if the source IP address is not bound to the source MAC address^ 

wherein the computer readable program code that evaluates a source media access control 
(MAC) address of the packet and the source IP address further comprises computer readable 
program code that identifies an entry in an address resolution protocol (ARP) table 
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corresponding to the source MAC address, that compares an IP address of the identified entry to 
the source IP address to determine if the IP address of the identified entry corresponds to the 
source IP address, that identifies the source IP address as bound to the source MAC address at 
the source device if the IP address of the identified entry corresponds to the source IP address, 
that sends an ARP request to the source IP address if no entry in the ARP table is identified as 
corresponding to the source MAC address, and that incorporates an entry corresponding to the 
MAC address into the ARP table if a response is received to the ARP request . 

46. (Canceled). 



